Client Success Story - Implementing ServiceNow GRC for compliance at Engineering & Construction Firm
The client, a global leader in the engineering and construction sector, had its Chief Information Security Officer approve a new initiative in 2018 for the IT Information Security organization to improve compliance and security risk assessment across its network of global datacenters and project sites.
- As part of its security audit practice, the Information Security organization performs annual security audits of its primary locations against the ISO 27001 standard, covering the legal, physical and technical controls involved in its information risk management processes. Already a ServiceNow customer, the firm elected to implement ServiceNow GRC to meet these program objectives.
- Over the course of a four-month initiative we implemented the following capabilities for the client:
- Implemented Policy Compliance & Audit Management modules
- Custom issue management extension
- Updated audit reporting and SLA workflows
- Published IT Security Standards to the GRC knowledgebase
- Defined and loaded 200+ policy statements drawn from both ISO 27001 and ISO 27002
- Generated over 3000 controls from the policy statements and the defined profiles (ServiceNow GRC creates one control for each policy statement applied to each in-scope profile)
- Extended the Audit Engagement module to manage follow-on activities documented as issues during audit
- Implemented a custom 5×5 risk scoring system based on issue type, category, rating & probability
- Implemented SLAs and notification reminders for audit follow-on activities coming due
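The 5×5 scoring and SLA items above describe the client's issue-handling logic only at a high level. The following is an added illustration, not the client's configuration or ServiceNow code: it scores an audit issue as rating × probability on a 5×5 grid, maps the score to a risk tier, applies an assumed per-issue-type floor (so a major nonconformity is never treated as Low), derives the follow-on SLA due date from the tier, and reports what a daily reminder job would flag. The tier boundaries, SLA windows, issue types, categories and sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMED configuration for illustration only (not the client's real setup):
# tiers are keyed on the upper bound of rating x probability (1..5 each),
# and each tier carries the SLA window for the follow-on activity in days.
TIERS = [
    # (max score, tier, SLA days)
    (4, "Low", 180),
    (9, "Moderate", 90),
    (16, "High", 30),
    (25, "Critical", 7),
]
TIER_ORDER = [name for _, name, _ in TIERS]

# ASSUMED: an issue type can impose a minimum tier regardless of score,
# e.g. a major nonconformity from an ISO 27001 audit is never treated as Low.
TYPE_FLOOR = {"Major nonconformity": "High"}


@dataclass(frozen=True)
class AuditIssue:
    number: str
    issue_type: str   # e.g. "Major nonconformity", "Minor nonconformity", "Observation"
    category: str     # ISO 27001 Annex A area the finding maps to (constructed)
    rating: int       # impact, 1 (negligible) .. 5 (severe)
    probability: int  # likelihood, 1 (rare) .. 5 (almost certain)
    opened: date


def _scale(value, name):
    """Reject anything outside the 5x5 grid instead of silently extrapolating."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return value


def risk_score(issue):
    return _scale(issue.rating, "rating") * _scale(issue.probability, "probability")


def risk_tier(issue):
    score = risk_score(issue)
    tier = next(name for max_score, name, _ in TIERS if score <= max_score)
    floor = TYPE_FLOOR.get(issue.issue_type)
    if floor and TIER_ORDER.index(floor) > TIER_ORDER.index(tier):
        tier = floor
    return tier


def sla_days(tier):
    return next(days for _, name, days in TIERS if name == tier)


def due_date(issue):
    return issue.opened + timedelta(days=sla_days(risk_tier(issue)))


def reminder_status(issue, today, warn_days=7):
    """What a daily reminder job would emit for this follow-on activity."""
    days_left = (due_date(issue) - today).days
    if days_left < 0:
        return "overdue"
    if days_left <= warn_days:
        return "due soon"
    return "on track"


# Constructed sample findings from one audit engagement (not real data).
SAMPLE_ISSUES = [
    AuditIssue("ISS0001", "Minor nonconformity", "A.9 Access control", 4, 4, date(2024, 3, 1)),
    AuditIssue("ISS0002", "Major nonconformity", "A.11 Physical security", 2, 1, date(2024, 3, 1)),
    AuditIssue("ISS0003", "Observation", "A.12 Operations security", 5, 5, date(2024, 3, 1)),
]


def summarize_as_of(today_iso, issues=SAMPLE_ISSUES):
    """One report row per issue: number, score, tier, due date, reminder status."""
    today = date.fromisoformat(today_iso)
    return [
        (i.number, risk_score(i), risk_tier(i), due_date(i).isoformat(), reminder_status(i, today))
        for i in issues
    ]


if __name__ == "__main__":
    for row in summarize_as_of("2024-03-26"):
        print(row)
```

The floor rule is the part worth noting: a pure lookup on rating × probability would have filed the low-scoring major nonconformity (ISS0002) as Low with a 180-day window, whereas audit practice usually requires major nonconformities to be closed on a short clock regardless of the assessor's numeric scores.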
Recently, the customer provided feedback that the GRC implementation has met all of its initial goals and objectives. As new audits occur, each regional office now uses GRC to initiate, track and record audit findings in a central repository. GRC eliminated the cumbersome legacy process of tracking audit results in spreadsheets and storing them in SharePoint. As the use of GRC expands, the customer plans to further automate audit reporting and improve the remediation process for high-risk audit findings.
Technology & Tools
Governance, Risk & Compliance, Policy & Compliance, Audit Management, ServiceNow GRC, ServiceNow Policy Compliance & Audit Management
Agile, ISO 27001, ISO 27002